Polymarket Denies Data Breach After Hacker Claims Theft of 300,000 Records
Prediction markets platform Polymarket has refuted allegations of a data breach after a hacker, operating under the pseudonym xorcat, posted claims on the dark web that they had stolen over 300,000 records, including 10,000 unique user profiles containing full names, profile images, proxy wallets, and base addresses. The screenshots of the post, shared by cybersecurity firm Vecert Analyzer and dark web monitoring accounts on X (formerly Twitter), surfaced on Tuesday.
Polymarket dismissed the claims as "complete and utter nonsense," asserting that the allegedly stolen data was already publicly accessible via its API endpoints and on-chain records. The platform emphasized that its transparency as a blockchain-based service means all data is auditable by design: a feature, not a vulnerability. In a follow-up statement, Polymarket mocked the hacker’s attempt to monetize freely available information, questioning whether venture capital funding had backed the stunt.
The hacker, however, argued that the data was obtained through undocumented API endpoints, pagination bypasses, and CORS misconfigurations in Polymarket’s Gamma and CLOB APIs. Xorcat also claimed to have breached other prediction markets and threatened to release additional data in the coming days. The motive, according to the hacker, was Polymarket’s lack of a bug bounty program, though the platform has had an active program since April 16, receiving 446 reports as of Wednesday.
Security experts have cast doubt on the breach claims. Vladimir S, Chief Security Officer at Legalblock, suggested the incident appeared to be a case of parsed public data being misrepresented as a database leak.
The incident comes amid a surge in crypto-related exploits, with blockchain security firm Hacken reporting $482 million in losses across 44 Web3 incidents in Q1 2026. Polymarket’s denial highlights the ongoing tension between transparency in decentralized platforms and the risks of data exposure.
Source: https://cryptonews.net/news/security/32780895/
Polymarket TPRM report: https://www.rankiteo.com/company/polymarket
{
  "id": "pol1777458829",
  "linkid": "polymarket",
  "type": "Breach",
  "date": "4/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
    'affected_entities': [
        {
            'customers_affected': '10,000 unique user profiles (alleged)',
            'industry': 'Blockchain / Cryptocurrency',
            'name': 'Polymarket',
            'type': 'Prediction Markets Platform',
        },
    ],
    'attack_vector': 'API Misconfiguration (Undocumented endpoints, CORS misconfigurations, pagination bypasses)',
    'data_breach': {
        'data_exfiltration': 'Claimed by hacker, denied by Polymarket',
        'number_of_records_exposed': '300,000 (alleged)',
        'personally_identifiable_information': 'Full names, profile images, wallet addresses',
        'sensitivity_of_data': 'High (PII and cryptocurrency wallet information)',
        'type_of_data_compromised': 'User profiles (full names, profile images, proxy wallets, base addresses)',
    },
    'description': 'Prediction markets platform Polymarket has refuted allegations of a data breach after a hacker, operating under the pseudonym *xorcat*, posted claims on the dark web that they had stolen over 300,000 records, including 10,000 unique user profiles containing full names, profile images, proxy wallets, and base addresses. Polymarket dismissed the claims as publicly accessible data via its API endpoints and on-chain records, while the hacker argued the data was obtained through undocumented API endpoints, pagination bypasses, and CORS misconfigurations.',
    'impact': {
        'brand_reputation_impact': 'Potential reputational damage due to allegations',
        'data_compromised': '300,000 records (alleged), including 10,000 unique user profiles with full names, profile images, proxy wallets, and base addresses',
        'identity_theft_risk': 'High (PII exposed: full names, wallet addresses)',
        'payment_information_risk': 'High (proxy wallets and base addresses exposed)',
        'systems_affected': 'Gamma and CLOB APIs',
    },
    'initial_access_broker': {'data_sold_on_dark_web': 'Threatened by hacker'},
    'investigation_status': 'Ongoing (disputed claims)',
    'motivation': 'Lack of bug bounty program (disputed by Polymarket)',
    'post_incident_analysis': {
        'root_causes': 'Disputed: API misconfigurations (hacker claim) vs. public data parsing (Polymarket claim)',
    },
    'references': [
        {'source': 'Vecert Analyzer'},
        {'source': 'Dark web monitoring accounts on X (formerly Twitter)'},
        {'source': 'Polymarket statements'},
    ],
    'response': {
        'communication_strategy': "Public denial, assertion of data transparency, mocking hacker's claims",
    },
    'threat_actor': 'xorcat',
    'title': 'Polymarket Denies Data Breach After Hacker Claims Theft of 300,000 Records',
    'type': 'Data Exposure / Alleged Breach',
    'vulnerability_exploited': 'Undocumented API endpoints, CORS misconfigurations, pagination bypasses',
}